VNET Integration for HealthCare Agent Orchestrator

[vvenglaturmsft]

Purpose

Introduces comprehensive network security architecture with Virtual Network (VNet) integration for the Healthcare Agent Orchestrator. Adds network isolation by deploying App Service within a dedicated VNet subnet with proper delegation and security controls
Implements Microsoft 365/Teams IP restrictions to ensure secure integration while maintaining controlled access
Establishes foundation for enhanced security options including private endpoints and Application Gateway integration
Provides configurable network parameters allowing organizations to customize VNet address spaces and subnet configurations for their environments

Does this introduce a breaking change?

[x ] Yes
[ ] No

Pull Request Type

What kind of change does this Pull Request introduce?

[ ] Bugfix
[x ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

• Get the code

git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install

• Test the code

Redeploy the new network changes and test using msft teams or with the healthcare agent orchestrator ui . 

What to Check

Verify that the following are valid

VNet and subnet creation - Confirm VNet is created with correct address space (10.0.0.0/16 default)
App Service VNet integration - Verify App Service is properly integrated with the subnet
IP restrictions configuration - Confirm Microsoft 365/Teams IP ranges are correctly applied
NSG rules - Validate Network Security Group allows HTTP/HTTPS inbound and required outbound traffic
Service endpoints - Verify service endpoints are configured
Teams bot functionality - Test that healthcare agents work correctly in Teams after deployment

Other Information

For existing deployments: This PR introduces VNet integration which requires complete recreation of deployments - App Service outbound IPs will change to the VNet subnet range and external services whitelisting your current IPs must be updated. Recommended approach: Deploy new VNet-enabled environment alongside existing one, test thoroughly, then switch traffic after verification. For fresh deployments: No impact as VNet is included from the start.

[matthiasblondeel]

Still need to do some E2E testing but this looks good to me

[matthiasblondeel]

Why even have a network location parameter, if it has to be the same as the app service.
I think you can just remove it

[vvenglaturmsft]

this is complete

[matthiasblondeel]

Does this mean that by default, the web gui won't load either?

That's fine, just checking. If that is the case, maybe we can add an option to specify either your private IP range, or a "allow unsecure option"?

[vvenglaturmsft]

For this can we add a note in network.md and have it default to Allow. We have to add their public ip or make it public or open up their corp vpn range etc. Can we for now just make it public and i will add a note in their network.md. Since everything else is also kind of public

[vvenglaturmsft]

The problem is then in that case the ip restrictions that we have added might not be relevant any more.. let me think a bit more on this

[vvenglaturmsft]

Changes made to introduce a new parameter that would allow you to specify ip. Have tested it with my public ip.

[matthiasblondeel]

Add an entry in the README.md under docs
https://github.com/Azure-Samples/healthcare-agent-orchestrator/blob/main/docs/README.md

[vvenglaturmsft]

Done

[matthiasblondeel]

Looks good. I'm running one more test. And have some minor doc feedback

[matthiasblondeel]

This is good, but there is also a README under docs with additional links if you could add there

[vvenglaturmsft]

done

[matthiasblondeel]

for development/debugging or using the react client app.

[matthiasblondeel]

Can you also add a note under step 6 that by default the chat application won't be accessible unless someone adds their IP to the list of additional allowed IPs?

[vvenglaturmsft]

done